What is an ALG
ALG stands for Application Layer Gateway. It can be used with a number of layer-4 or layer-7 protocols, for example multi-channel protocols such as FTP: the security policy only permits the control port, not the data port, yet with the ALG enabled there is no need to permit the data port, because the firewall dynamically detects the data connection and creates a session for it.
The following is quoted from Juniper's official documentation:
ALGs for packets destined to well-known ports are triggered by service type. The ALG intercepts and analyzes the specified traffic, allocates resources, and defines dynamic policies to permit the traffic to pass securely through the device:
- When a packet arrives at the device, the flow module forwards the packet according to the security rule set in the policy.
- If a policy is found to permit the packet, the associated service type or application type is assigned and a session is created for this type of traffic.
- If a session is found for the packet, no policy rule match is needed. The ALG module is triggered if that particular service or application type requires the supported ALG processing.
Microsoft RPC ALGs
Handling of an actual problem
In a customer environment, SCCM pushes were failing. Checking the Juniper firewall log showed the following error:
Dec 26 06:45:04 juniper junos-alg: RT_ALG_WRN_CFG_NEED: MSRPC ALG detected packet from 10.1.1.1/59250 which need extra policy config with UUID:12345678-1234-abcd-ef00-01234567cffb or 'junos-ms-rpc-any' to let it pass-through on ASL session
The log was quite frequent, roughly one message every few seconds, with the last few digits of the UUID differing between messages. After confirming the IPs that SCCM needs to communicate with and identifying the firewall zones involved, it turned out that the two zones already permitted traffic in both directions, with the matching source address, destination address and application all set to any.
A firewall policy was then added, with source and destination any and the application matched as follows:
set security policies from-zone trust to-zone test policy alg-policy match application junos-ms-rpc-any
After that, the earlier log messages stopped appearing. The problem is not necessarily resolved, though, and still needs to be verified.
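As an added example (not from the post or from Juniper), the following Python script parses RT_ALG_WRN_CFG_NEED messages in the format quoted above, counts how often each MS-RPC UUID is reported so the operator can see which interfaces the ALG is refusing, and prints the policy lines used in the post. The log lines, addresses and UUIDs below are constructed samples; zone and policy names (trust, test, alg-policy) are taken from the post and passed as parameters.

```python
import re
from collections import Counter

# Constructed sample syslog lines modelled on the RT_ALG_WRN_CFG_NEED message in the post
# (addresses and UUIDs are made up for the example, not real indicators).
SAMPLE_LOG = """\
Dec 26 06:45:04 juniper junos-alg: RT_ALG_WRN_CFG_NEED: MSRPC ALG detected packet from 10.1.1.1/59250 which need extra policy config with UUID:12345678-1234-abcd-ef00-01234567cffb or 'junos-ms-rpc-any' to let it pass-through on ASL session
Dec 26 06:45:09 juniper junos-alg: RT_ALG_WRN_CFG_NEED: MSRPC ALG detected packet from 10.1.1.1/59251 which need extra policy config with UUID:12345678-1234-abcd-ef00-01234567cffb or 'junos-ms-rpc-any' to let it pass-through on ASL session
Dec 26 06:45:15 juniper junos-alg: RT_ALG_WRN_CFG_NEED: MSRPC ALG detected packet from 10.1.1.2/60001 which need extra policy config with UUID:12345678-1234-abcd-ef00-01234567cff0 or 'junos-ms-rpc-any' to let it pass-through on ASL session
Dec 26 06:45:20 juniper sshd[1234]: Accepted publickey for admin from 10.1.1.9 port 50022
"""

# Source IP/port of the blocked packet and the interface UUID the ALG could not match to a policy.
WARN_RE = re.compile(
    r"RT_ALG_WRN_CFG_NEED: MSRPC ALG detected packet from "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})/(?P<port>\d+) .*?"
    r"UUID:(?P<uuid>[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12})"
)

def parse_warnings(text):
    """Return (src_ip, src_port, uuid) for each RT_ALG_WRN_CFG_NEED line; other lines are ignored."""
    hits = []
    for line in text.splitlines():
        m = WARN_RE.search(line)
        if m:
            hits.append((m["ip"], int(m["port"]), m["uuid"].lower()))
    return hits

def count_by_uuid(hits):
    """Count warnings per UUID so the operator sees which interfaces are being refused, and how often."""
    return Counter(uuid for _ip, _port, uuid in hits)

def policy_lines(from_zone, to_zone, policy="alg-policy"):
    """The broad fix used in the post: a policy whose application is junos-ms-rpc-any.
    Zone and policy names are parameters because they are deployment specific."""
    base = f"set security policies from-zone {from_zone} to-zone {to_zone} policy {policy}"
    return [
        f"{base} match source-address any",
        f"{base} match destination-address any",
        f"{base} match application junos-ms-rpc-any",
        f"{base} then permit",
    ]

if __name__ == "__main__":
    hits = parse_warnings(SAMPLE_LOG)
    for uuid, n in count_by_uuid(hits).most_common():
        print(f"{uuid}  {n} warning(s)")
    print("\n".join(policy_lines("trust", "test")))
```

Running it against the sample shows two UUIDs, one reported twice; on real syslog output the per-UUID counts tell you whether a narrower per-UUID application would do instead of junos-ms-rpc-any.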
Juniper has a very useful KB article explaining this issue, link: kb.juniper.net/InfoCenter/…
MS-RPC involves too much Microsoft-specific detail, so I will not dig into it further for now.
How it works
Juniper's documentation has a very useful passage, quoted below:
MS-RPC provides a way for a program running on one host to call procedures in a program running on another host. Because of the large number of RPC services and the need to broadcast, the transport address of an RPC service is dynamically negotiated based on the service program's universal unique identifier (UUID). The specific UUID is mapped to a transport address.
In other words: because there are many RPC services and they need to be broadcast, the transport address of an RPC service is negotiated dynamically based on the service program's UUID (universal unique identifier), and a given UUID maps to one transport address.
Predefined MS-RPC services
How to disable/enable ALG inspection
user@host# set security alg msrpc disable    # disable
user@host# delete security alg msrpc         # enable
If you run into the problem described above, you can disable msrpc inspection as a test.
References
Application Layer Gateways Feature Guide for Security Devices
Understanding Microsoft RPC Services